dawnscanner 1.2.99

data/certs/paolo_at_codesake_dot_com.pem

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDcDCCAligAwIBAgIBATANBgkqhkiG9w0BAQUFADA/MQ4wDAYDVQQDDAVwYW9s
+bzEYMBYGCgmSJomT8ixkARkWCGNvZGVzYWtlMRMwEQYKCZImiZPyLGQBGRYDY29t
+MB4XDTE0MDEyNzE3MjUwMVoXDTE1MDEyNzE3MjUwMVowPzEOMAwGA1UEAwwFcGFv
+bG8xGDAWBgoJkiaJk/IsZAEZFghjb2Rlc2FrZTETMBEGCgmSJomT8ixkARkWA2Nv
+bTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN+8Wwt2rmgvhbuveFjT
+ScQXrszcQbnE+KvFkkoWNs32tSJwnnJqbS4K1+nlo9k4rCu/1YpkqIVmiY3MGItG
+Faaqgnh3Kqt0kSQttiaM3nKtG7bsG+gpA3BxQ/KoulvrO9XXV8+poPBHdpP4a9mB
+TnOPnDCk3oCn98bkGk8uvbTvF1WlsEB72wjipgvH9ezZxwhznSRol9FKAJwozbf+
+JYoOtLy3FRVUxjAqZXnwUvQ/PQB2KKzqgG7C8vsScp9rOLaNMvWFXQw0q2tI2nxv
+vly5LyZnPeL70GjvJn+3CfF9Ikcy6YOxpRCPLpnK2ci1ZOG6YuEdmzixwqcdes/y
+k9ECAwEAAaN3MHUwCQYDVR0TBAIwADALBgNVHQ8EBAMCBLAwHQYDVR0OBBYEFO4m
+wJziM8KcBxbZqMhNQI/uvuGVMB0GA1UdEQQWMBSBEnBhb2xvQGNvZGVzYWtlLmNv
+bTAdBgNVHRIEFjAUgRJwYW9sb0Bjb2Rlc2FrZS5jb20wDQYJKoZIhvcNAQEFBQAD
+ggEBACABVswewwcbZ1WSPDjnmqo64UoAa2w3MtfqPcRPN2cAReSAeZtzGdH6vsXV
+BN2MZ36RDXDMqu6roHMZDU/F69EYWVtntVa1tNR6JsNF8sD6ORTNt+WpTLluqkUt
+CaC9vqlqJuZ+idPWUC5ueuNBn3SAUqx+ETjtueJHhjwJkG8Kx36kapOFrOxMHjUT
++IcwCbIkOjnpLlhyc2iW9zhnl5BItyBEn1+g+Zv7jkJLoafoRee4Vk758GpxGiou
+Fh7BfxFDBZdj1mI2V+I+IYYMPKIouvwX3r7NTZgZ4TYuKVpOk9VSCxzhrPhnl4kb
+1LyVQIFlhF6nL0casp0ixer8N60=
+-----END CERTIFICATE-----

data/checksum/codesake-dawn-1.1.0.gem.sha512

@@ -0,0 +1 @@
+744c4729bddf79a21dac3ab40e4246294f80eddc4d1d1831995c9e3811c6ea0057007a30389cd8b8ae815b9416018a6c0557613dfcf9b3512dc2c9acac2704df

data/checksum/codesake-dawn-1.1.0.rc1.gem.sha512

@@ -0,0 +1 @@
+4b4c2cef33f0631d3c33eb70112bc87e30651e448733697542a643614ebe8df8cd4e42ee1a9eb043029f0b51a6fd1353ed4c7965d053e5bb8509bf3cfff772e0

data/checksum/codesake-dawn-1.1.1.gem.sha512

@@ -0,0 +1 @@
+27932cdcc95b44f9ebc715cfff2e66c764e13502beb5cd7775599612c108bf132f5300c0fb46e6e7fcdb84343b06bbf46cc80d6b0c1ab443bb6f6011c8557ef6

data/checksum/codesake-dawn-1.1.2.gem.sha512

@@ -0,0 +1 @@
+393bc34a0e41fd18b8f49e1637c73fe84ef948efffdca9ebda9c476613cbc90941b8dc53eca09b55575b8c2276096d22178092df59cfefc569a1c9b4db9afb10

data/checksum/codesake-dawn-1.1.3.gem.sha512

@@ -0,0 +1 @@
+997e78626b78d655ae4b733483883b9e82b24969b167cbca606524665a20189af4ebeabf3c1dffb1000a1e2e70c80bcf39130dfd9e1f0aaeabf7de6ef329d594

data/checksum/codesake-dawn-1.2.0.gem.sha512

@@ -0,0 +1 @@
+d4b0aba5ecc9277c7994170065199c3fc37c04fbb31bad844339d8b9a2c6cab162664140d5bbafae61e0c33a2e44cb4ac2ffa909b0bd59ff945c8e908fa6975d

data/checksum/codesake-dawn-1.2.99.gem.sha512

@@ -0,0 +1 @@
+4f20474fa7e63ab8ca53f3d28716dbf9a84320b600db61515d9475426d6c53579d3d0095b01d6299b2da13b5020005747d05f7052d2d22143881172b66eea304

data/dawnscanner.gemspec

@@ -0,0 +1,43 @@
+# -*- encoding: utf-8 -*-
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'codesake/dawn/version'
+
+Gem::Specification.new do |gem|
+  gem.name          = "dawnscanner"
+  gem.version       = Codesake::Dawn::VERSION
+  gem.authors       = ["Paolo Perego"]
+  gem.email         = ["paolo@codesake.com"]
+  gem.description   = %q{Dawn is a security source code scanner for ruby powered code.}
+  gem.summary   = %q{Codesake::Dawn is a security source code scanner for ruby powered code.}
+  gem.homepage      = "http://dawn.codesake.com"
+
+  gem.files         = `git ls-files`.split($/)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.require_paths = ["lib"]
+
+  gem.cert_chain  = ['certs/paolo_at_codesake_dot_com.pem']
+  gem.signing_key = File.expand_path("~/.ssh/paolo_at_codesake_dot_com-private_key.pem") if $0 =~ /gem\z/
+
+  gem.required_ruby_version = '>= 1.9.2'
+
+  gem.add_dependency "codesake-commons", "~> 1.0.0"
+  gem.add_dependency 'cvss'
+  gem.add_dependency 'haml'
+  gem.add_dependency 'parser'
+  gem.add_dependency 'ptools'
+  gem.add_dependency 'ruby_parser'
+  gem.add_dependency 'sys-uname'
+  gem.add_dependency 'grit'
+  gem.add_dependency 'terminal-table'
+  gem.add_dependency 'justify'
+
+  gem.add_dependency ('coveralls')
+
+  gem.add_development_dependency 'rake'
+  gem.add_development_dependency 'rspec'
+  gem.add_development_dependency('tomdoc')
+  gem.add_development_dependency('aruba')
+  gem.add_development_dependency('simplecov')
+end

data/doc/codesake-dawn.yaml.sample

@@ -0,0 +1,26 @@
+---
+config:
+  :verbose: false
+  :output: console
+  :mvc: ''
+  :gemfile_scan: false
+  :gemfile_name: ''
+  :filename: 
+  :debug: false
+  :exit_on_warn: false
+  :enabled_checks:
+  - :generic_check
+  - :code_quality
+  - :cve_bulletin
+  - :code_style
+  - :owasp_ror_cheatsheet
+  - :owasp_top_10_1
+  - :owasp_top_10_2
+  - :owasp_top_10_3
+  - :owasp_top_10_4
+  - :owasp_top_10_5
+  - :owasp_top_10_6
+  - :owasp_top_10_7
+  - :owasp_top_10_8
+  - :owasp_top_10_9
+  - :owasp_top_10_10

data/doc/dawn_1_0_announcement.md

@@ -0,0 +1,139 @@
+
+## Press announcement
+
+After 9 months of development, it's now time for Codesake::Dawn security source
+code scanner first major release.
+
+Codesake::Dawn is a static analysis security scanner for ruby written web applications.
+It supports [Sinatra](http://www.sinatrarb.com),
+[Padrino](http://www.padrinorb.com) and [Ruby on Rails](http://rubyonrails.org)
+frameworks. 
+
+Version 1.0 introduces 142 security checks against public bulletins since 2006,
+you can use to check the vulnerabilities introduced by third party libraries
+your web application include in its Gemfile.
+
+Writing safe code it's important, but sometimes security issues are introduced
+by third party code your application relies on. As example, consider a SQL
+Injection vulnerability introduced by Ruby on Rails framework. Despite the
+effort you spend in sanitize inputs, your web application inherits the
+vulnerability suffering as well. An attacker can easily exploit it and break
+into your database unless you upgrade the offended gem.
+
+There is a comprehensive set of command line flags you can read more by issuing
+```dawn -h``` flag or by reading [project README](https://github.com/codesake/codesake-dawn/raw/master/README.md) file.
+
+The list of security checks included in version 1.0.0 can be found online at:
+[http://dawn.codesake.com/knowledge-base](http://dawn.codesake.com/knowledge-base).
+
+You can use [facilities provided by
+github](https://github.com/codesake/codesake-dawn/issues) to submit bug
+reports, product enhancements, new security checks you want to me to add in
+future releases and even success stories.
+
+Now it's time for you to install Codesake::Dawn version 1.0.0 with the
+following command and start reviewing your code for security issues:
+
+``` 
+$ gem install codesake-dawn
+```
+
+You can find the announcement on the web here: [http://dawn.codesake.com/blog/announce-codesake-dawn-v1-0-0-released/](http://dawn.codesake.com/blog/announce-codesake-dawn-v1-0-0-released/)
+Enjoy it!
+Paolo - paolo@codesake.com
+
+## Twitter announcement
+
+### version 1.0.6
+
+@dawnscanner version 1.0.6 is out. A new security check: CVE-2014-2538 #ruby #security #rails #sinatra #padrino
+
+### version 1.0.5
+
+@dawnscanner version 1.0.5 is out. 2 new security checks: CVE-2014-2322 and CVE-2014-0036 #ruby #security #rails #sinatra #padrino
+
+### version 1.0.4
+
+@dawnscanner version 1.0.4 is out. 10 security checks actually in development were backported to master release. https://twitter.com/rubygems/status/444389931851718656 #ruby #security #rails
+
+### version 1.0.3
+
+@dawnscanner version 1.0.3 is out. It fixes the rake task that it wasn't available. https://github.com/codesake/codesake-dawn/issues/37 #sinatra #padrino #rails
+
+### version 1.0.2
+
+@dawnscanner version 1.0.2 is out. It fixes an annoying bug whit rainbow gem 2.0.0 #sinatra #padrino #rubyonrails #security #scanner 
+
+### version 1.0.1
+
+@dawnscanner version 1.0.1 is out. It fixes two minor issues about #owasp #rubyonrails #cheatsheet #sinatra #padrino #security #scanner 
+
+### version 1.0.0
+@dawnscanner version 1.0.0 is out. Read the announcement: http://dawn.codesake.com/blog/announce-codesake-dawn-v1-0-0-released/ #ruby #rails #sinatra #padrina #security #scanner
+
+
+## Linkedin announcement 
+
+### version 1.0.6
+
+@dawnscanner version 1.0.6 is out. You can read the announcement here: http://dawn.codesake.com/blog/announce-codesake-dawn-v1-0-6-released/
+Codesake::Dawn v1.0.6 introduces a newly released CVE bullettin: CVE-2014-2538 about a reflected xss in rack-ssl rubygem. Codesake::Dawk supports Sinatra, Padrino and Ruby on Rails MVC frameworks out of the box.
+
+$ gem install codesake-dawn 
+$ have fun
+
+### version 1.0.5
+
+@dawnscanner version 1.0.5 is out. You can read the announcement here: http://dawn.codesake.com/blog/announce-codesake-dawn-v1-0-5-released/
+Codesake::Dawn v1.0.5 introduces 2 newly released CVE bullettins: CVE-2014-006 and CVE-2014-2322 about a MitM Spoofing Weakness in rbovirt gem and command injection in arabic prawn gem. Codesake::Dawk supports Sinatra, Padrino and Ruby on Rails MVC frameworks out of the box.
+
+$ gem install codesake-dawn 
+$ have fun
+
+### version 1.0.4
+
+@dawnscanner version 1.0.4 is out. You can read the announcement here: http://dawn.codesake.com/blog/announce-codesake-dawn-v1-0-4-released/
+Codesake::Dawn v1.0.4 introduces 10 security checks backported from upcoming version 1.1.x and released in the latest months. Now the knowledge base has 152 security checks. Codesake::Dawk supports Sinatra, Padrino and Ruby on Rails MVC frameworks out of the box.
+
+$ gem install codesake-dawn 
+$ have fun
+
+### version 1.0.3
+@dawnscanner version 1.0.3 is out. Read the announcement online. Codesake::Dawn makes security code review fun for ruby developers, it scans 142 CVE bulletins and future release will be able to scan custom ruby code for XSS, SQL Injections and business logic flaws. It supports Sinatra, Padrino and Ruby on Rails MVC framework out of the box. 
+
+Now you can add the ```require 'codesake/dawn/tasks'``` line in your Rakefile taking advantages from the rake ```dawn:run``` task
+
+https://twitter.com/rubygems/status/433913686659702784
+
+$ gem install codesake-dawn 
+$ have fun
+
+### version 1.0.2
+@dawnscanner version 1.0.2 is out. Read the announcement online. Codesake::Dawn makes security code review fun for ruby developers, it scans 142 CVE bulletins and future release will be able to scan custom ruby code for XSS, SQL Injections and business logic flaws. It supports Sinatra, Padrino and Ruby on Rails MVC framework out of the box. 
+
+
+https://twitter.com/rubygems/status/427768158284677120
+
+$ gem install codesake-dawn 
+$ have fun
+
+### version 1.0.1
+@dawnscanner version 1.0.1 is out. Read the announcement online. Codesake::Dawn makes security code review fun for ruby developers, it scans 142 CVE bulletins and future release will be able to scan custom ruby code for XSS, SQL Injections and business logic flaws. It supports Sinatra, Padrino and Ruby on Rails MVC framework out of the box. 
+
+https://twitter.com/rubygems/status/427066100367777792
+
+$ gem install codesake-dawn 
+$ have fun
+
+### version 1.0.0
+@dawnscanner version 1.0.0 is out. Read the announcement online. Codesake::Dawn makes security code review fun for ruby developers, it scans 142 CVE bulletins and future release will be able to scan custom ruby code for XSS, SQL Injections and business logic flaws. It supports Sinatra, Padrino and Ruby on Rails MVC framework out of the box. 
+
+$ gem install codesake-dawn 
+$ have fun
+
+## HN Link
+https://news.ycombinator.com/item?id=7094470
+## Reddit
+http://www.reddit.com/r/security/comments/1vr4ur/ann_codesakedawn_v100_released/
+http://www.reddit.com/r/ruby/comments/1vr4u0/ann_codesakedawn_v100_released/
+

data/doc/dawn_1_1_announcement.md

@@ -0,0 +1,67 @@
+## Press announcement
+
+The April 4th 2013, the first Codesake::Dawn import in Github happened. After
+1 year and three months later than the first major released, I'm happy to
+annonunce Codesake::Dawn 1.1.0, codename Lightning McQueen
+
+Codesake::Dawn is a source code scanner designed to review your code for
+security issues.
+
+Codesake::Dawn is able to scan your ruby standalone programs but its main usage
+is to deal with web applications. It supports applications written using majors
+MVC (Model View Controller) frameworks, like:
+
+* [Ruby on Rails](http://rubyonrails.org)
+* [Sinatra](http://www.sinatrarb.com)
+* [Padrino](http://www.padrinorb.com)
+
+Codesake::Dawn version 1.1 has 171 security checks loaded in its knowledge
+base. Most of them are CVE bulletins applying to gems or the ruby interpreter
+itself. There are also some check coming from Owasp Ruby on Rails cheatsheet.
+
+Writing safe code it's important, but sometimes security issues are introduced
+by third party code your application relies on. As example, consider a SQL
+Injection vulnerability introduced by Ruby on Rails framework. 
+
+Despite the effort you spend in sanitizing inputs, your web application
+inherits the vulnerability suffering as well. An attacker can easily exploit it
+and break into your database unless you upgrade the offended gem.
+
+There is a comprehensive set of command line flags you can read more by issuing
+```dawn --list-knowledge-base``` flag or by reading [project
+README](https://github.com/codesake/codesake-dawn/raw/master/README.md) file.
+
+The list of security checks included in version 1.1.0 can be found online at:
+[http://dawn.codesake.com/knowledge-base](http://dawn.codesake.com/knowledge-base).
+
+You can use [facilities provided by
+github](https://github.com/codesake/codesake-dawn/issues) to submit bug
+reports, product enhancements, new security checks you want to me to add in
+future releases and even success stories.
+
+Now it's time for you to install Codesake::Dawn version 1.1.0 with the
+following command and start reviewing your code for security issues:
+
+```
+$ gem install codesake-dawn
+```
+
+You can find the announcement on the web here: [http://dawn.codesake.com/blog/announce-codesake-dawn-v1-1-0-released/](http://dawn.codesake.com/blog/announce-codesake-dawn-v1-1-0-released/)
+Enjoy it!
+Paolo - paolo@codesake.com
+
+## Twitter announcement
+
+### version 1.1.0
+@dawnscanner version 1.1.0 is out. 171 security checks. Improved output and more. Read the announcement: http://dawn.codesake.com/blog/announce-codesake-dawn-v1-1-0-released/ #ruby #rails #sinatra #padrina #security #scanner
+
+## Linkedin announcement
+
+### version 1.0.0
+@dawnscanner version 1.1.0 is out. Read the announcement online. Codesake::Dawn makes security code review fun for ruby developers, it scans 171 CVE bulletins and future release will be able to scan custom ruby code for XSS, SQL Injections and business logic flaws. It supports Sinatra, Padrino and Ruby on Rails MVC frameworks out of the box.
+
+$ gem install codesake-dawn
+$ have fun
+
+## HN Link
+## Reddit

data/doc/dawn_1_2_announcement.md

@@ -0,0 +1,69 @@
+## Press announcement
+
+Today, the XXX ?nd 2014, the second minor Codesake::Dawn rubygem version it has
+been released.
+This will be the last release of the codesake-dawn gem with this name. Starting
+form November, 7th we will rename the gem to just dawn.
+
+Codesake::Dawn is a source code scanner designed to review your code for
+security issues.
+
+Codesake::Dawn is able to scan your ruby standalone programs but its main usage
+is to deal with web applications. It supports applications written using majors
+MVC (Model View Controller) frameworks, like:
+
+* [Ruby on Rails](http://rubyonrails.org)
+* [Sinatra](http://www.sinatrarb.com)
+* [Padrino](http://www.padrinorb.com)
+
+Codesake::Dawn version 1.2 has 180 security checks loaded in its knowledge
+base. Most of them are CVE or OSVDB bulletins applying to gems or the ruby
+interpreter itself. There are also some check coming from Owasp Ruby on Rails
+cheatsheet.
+
+Writing safe code it's important, but sometimes security issues are introduced
+by third party code your application relies on. As example, consider a SQL
+Injection vulnerability introduced by Ruby on Rails framework.
+
+Despite the effort you spend in sanitizing inputs, your web application
+inherits the vulnerability suffering as well. An attacker can easily exploit it
+and break into your database unless you upgrade the offended gem.
+
+There is a comprehensive set of command line flags you can read more by issuing
+```dawn --list-knowledge-base``` flag or by reading [project
+README](https://github.com/codesake/codesake-dawn/raw/master/README.md) file.
+
+The list of security checks included in version 1.2.0 can be found online at:
+[http://dawn.codesake.com/knowledge-base](http://dawn.codesake.com/knowledge-base).
+
+You can use [facilities provided by
+github](https://github.com/codesake/codesake-dawn/issues) to submit bug
+reports, product enhancements, new security checks you want to me to add in
+future releases and even success stories.
+
+Now it's time for you to install Codesake::Dawn version 1.2.0 with the
+following command and start reviewing your code for security issues:
+
+```
+$ gem install -P MediumSecurity codesake-dawn
+```
+
+You can find the announcement on the web here: [http://dawn.codesake.com/blog/announce-codesake-dawn-v1-2-0-released/](http://dawn.codesake.com/blog/announce-codesake-dawn-v1-2-0-released/)
+Enjoy it!
+Paolo - paolo@codesake.com
+
+## Twitter announcement
+
+### version 1.2.0
+@dawnscanner version 1.2.0 is out. 180 security checks and some bug fixes. Read the announcement: http://dawn.codesake.com/blog/announce-codesake-dawn-v1-2-0-released/ #ruby #rails #sinatra #padrina #security #scanner
+
+## Linkedin announcement
+
+### version 1.2.0
+@dawnscanner version 1.2.0 is out. Read the announcement online. Codesake::Dawn makes security code review fun for ruby developers, it scans 180 CVE and OSVDB bulletins and future release will be able to scan custom ruby code for XSS, SQL Injections and business logic flaws. It supports Sinatra, Padrino and Ruby on Rails MVC frameworks out of the box.
+
+$ gem install codesake-dawn
+$ have fun
+
+## HN Link
+## Reddit

data/features/dawn_complains_about_an_incorrect_command_line.feature.disabled

@@ -0,0 +1,21 @@
+Feature: dawn complains on its command line when incomplete
+  When executed dawn needs a target to analyse
+
+  Scenario: dawn complains if you don't specify the target framework
+    When I run `bundle exec dawn`
+    Then the stderr should contain "missing target"
+
+  Scenario: dawn complains if you don't specify the target
+    When I run `bundle exec dawn -s`
+    Then the stderr should contain "missing target"
+
+  Scenario: dawn complains if the target doesn't exist
+    Given the generic project "/tmp/this_is_foo" doesn't exist
+    When I run `bundle exec dawn -s /tmp/this_is_foo`
+    Then the stderr should contain "invalid directory (/tmp/this_is_foo)"
+
+  Scenario: dawn complains if the target uses a different framework than the one specified
+    Given the hello world rails project does exist
+    When I run `bundle exec dawn -s /tmp/hello_world_3.2.13`
+    Then the stderr should contain "nothing to do on /tmp/hello_world_3.2.13"
+

data/features/dawn_scan_a_secure_sinatra_app.feature.disabled

@@ -0,0 +1,31 @@
+Feature: dawn reports no security issues 
+  When it scans a sinatra application that it is updated and it has no XSS
+
+  Scenario: dawn detects the sinatra version
+    Given a safe sinatra application exists
+    When I run `bundle exec dawn /tmp/sinatra-safe`
+    Then the stdout should contain "1.4.2"
+
+  Scenario: dawn tells there are no vulnerabilities
+    Given a safe sinatra application exists
+    When I run `bundle exec dawn /tmp/sinatra-safe`
+    Then the stdout should contain "no vulnerabilities found"
+
+    # Test for --output json
+  Scenario: dawn can give a brief json output as well
+    Given a safe sinatra application exists
+    When I run `bundle exec dawn -s /tmp/sinatra-safe --output json`
+    Then the stdout should contain "{\"status\":"OK",\"target\":"/tmp/sinatra-safe",\"mvc\":"sinatra",\"mvc_version\":"1.4.2",\"vulnerabilities_count\":0,\"vulnerabilities\":[],\"mitigated_vuln_count\":0,\"mitigated_vuln\":[],\"reflected_xss\":[]}"
+
+
+    # Tests for --count-only option
+  Scenario: dawn can give just the number of issues found as output
+    Given a safe sinatra application exists
+    When I run `bundle exec dawn --count-only -s /tmp/sinatra-safe`
+    Then the stdout should contain "0"
+
+  Scenario: dawn can give just the number of issues found as output
+    Given a safe sinatra application exists
+    When I run `bundle exec dawn --count-only -s /tmp/sinatra-safe --output json`
+    Then the stdout should contain "{\"status\":"OK",\"vulnerabilities_count\":0}"
+